CVE-2025-30360: CWE-346: Origin Validation Error in webpack webpack-dev-server

Medium
Published: Tue Jun 03 2025 (06/03/2025, 17:41:59 UTC)
Source: CVE Database V5
Vendor/Project: webpack
Product: webpack-dev-server

Description

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site with a non-Chromium-based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect via WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.

AI-Powered Analysis

Last updated: 07/11/2025, 06:17:13 UTC

Technical Analysis

CVE-2025-30360 is a security vulnerability in webpack-dev-server, a popular development server used alongside webpack to enable live reloading of source code during development. The vulnerability stems from improper origin validation in WebSocket connections. Specifically, prior to version 5.2.1, webpack-dev-server accepted WebSocket connections whose `Origin` header named an IP address without validating that origin any further. This behavior bypasses the `Origin` header check that was introduced to prevent Cross-site WebSocket hijacking, the issue originally reported as CVE-2018-14732.

When a user visits a malicious website served from an IP address using a non-Chromium browser, the attacker can exploit this flaw to establish a WebSocket connection to the webpack-dev-server running on the user's machine. Through this connection, the attacker can exfiltrate the user's source code, compromising confidentiality. The vulnerability does not require authentication but does require user interaction (visiting a malicious site).

The flaw affects all versions of webpack-dev-server prior to 5.2.1. Version 5.2.1 includes a patch that properly restricts IP address origins. The CVSS 3.1 score of 6.5 (medium severity) reflects the high confidentiality impact, no impact on integrity or availability, network attack vector, low attack complexity, no privileges required, and user interaction required. No known exploits are currently reported in the wild. This vulnerability is classified under CWE-346 (Origin Validation Error), indicating a failure to properly validate the origin of WebSocket requests, leading to unauthorized data disclosure.
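The difference between the flawed check and a hardened one, as an added example that is not webpack-dev-server's own code: a simplified allowlist model in which the lax variant accepts every IP-literal `Origin`, as the advisory describes, and the strict variant gives IP literals no exemption. The function names, the `allowedHosts` list and the sample origins are assumptions made for illustration.

```javascript
// Simplified model of an Origin allowlist check for a dev-server WebSocket.
// Hypothetical helper names; this is not webpack-dev-server's source.

// Parse an Origin header value and return its hostname, or null if unparsable
// (for example the literal string "null" sent by sandboxed documents).
function originHostname(origin) {
  try {
    return new URL(origin).hostname;
  } catch {
    return null;
  }
}

// After WHATWG URL parsing, IPv6 literals are bracketed and IPv4 literals are
// normalized to dotted decimal, so these two tests identify IP-literal hosts.
function isIpLiteral(host) {
  return host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Flawed pattern from the advisory: an IP-address Origin is always accepted.
function isOriginAllowedLax(origin, allowedHosts) {
  const host = originHostname(origin);
  if (host === null) return false;
  if (isIpLiteral(host)) return true; // CWE-346: skips the allowlist
  return allowedHosts.includes(host);
}

// Hardened pattern: IP literals get no exemption; only listed hosts pass.
function isOriginAllowedStrict(origin, allowedHosts) {
  const host = originHostname(origin);
  return host !== null && allowedHosts.includes(host);
}

// Constructed sample Origin values (documentation address ranges).
const allowedHosts = ["localhost"];
const samples = [
  "http://localhost:8080",
  "https://untrusted.example",
  "http://203.0.113.7",
  "http://[2001:db8::1]:8080",
  "null",
];
for (const origin of samples) {
  console.log(origin, {
    lax: isOriginAllowedLax(origin, allowedHosts),
    strict: isOriginAllowedStrict(origin, allowedHosts),
  });
}
```

Both variants reject the ordinary cross-site hostname; only the lax one lets the two IP-literal origins through.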

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to developers and development environments using webpack-dev-server versions prior to 5.2.1. The exposure of source code can lead to intellectual property theft, leakage of sensitive business logic, and potential facilitation of further attacks such as code injection or supply chain compromise. Since webpack-dev-server is typically used in local or internal development environments, the risk is mostly to internal confidentiality rather than public-facing systems. However, organizations with remote or hybrid development setups, or those allowing developers to browse untrusted websites while running vulnerable versions, are at higher risk. The impact is heightened in sectors with strong intellectual property concerns such as software development firms, financial services, and technology companies prevalent in Europe. Additionally, the use of non-Chromium browsers (e.g., Firefox, Safari) increases susceptibility, which is relevant given diverse browser usage in Europe. While no integrity or availability impact is noted, the confidentiality breach can have downstream consequences including reputational damage and regulatory scrutiny under GDPR if sensitive data is exposed.

Mitigation Recommendations

European organizations should immediately upgrade all instances of webpack-dev-server to version 5.2.1 or later to apply the official patch that correctly validates Origin headers, including those with IP addresses. Development teams should audit their environments to identify any use of vulnerable versions and enforce upgrade policies. Additionally, developers should be advised to avoid visiting untrusted or malicious websites while running development servers locally. Network segmentation can be employed to isolate development environments from general internet access where feasible. Implementing browser security policies or extensions that restrict WebSocket connections from untrusted origins can provide an additional layer of defense. Monitoring WebSocket traffic for unusual connections may help detect exploitation attempts. Finally, organizations should educate developers about the risks of cross-site WebSocket hijacking and encourage the use of Chromium-based browsers when possible, as the vulnerability specifically affects non-Chromium browsers.
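One way to carry out the version audit recommended above, as an added example rather than tooling from webpack or this advisory: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3, an assumption) and reports every `webpack-dev-server` entry older than 5.2.1, including nested copies. The sample lockfile is constructed.

```javascript
// Flag webpack-dev-server installs older than the fixed release in an npm
// lockfile. Hypothetical helper names; sample data below is constructed.
const FIXED_VERSION = "5.2.1"; // fixed version stated in the advisory

// True when `version` sorts before `fixed` (x.y.z with optional -prerelease).
function isBefore(version, fixed) {
  const [core, pre] = version.split("+")[0].split("-", 2); // drop build metadata
  const a = core.split(".").map(Number);
  const b = fixed.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return pre !== undefined; // e.g. 5.2.1-rc.0 precedes 5.2.1
}

// Return [{ path, version }] for every vulnerable copy, top-level or nested.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/webpack-dev-server")) continue;
    if (typeof meta.version === "string" && isBefore(meta.version, FIXED_VERSION)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile excerpt: one old top-level copy, one patched nested
// copy, one unpatched nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/webpack-dev-server": { version: "4.15.2" },
    "node_modules/tool-a/node_modules/webpack-dev-server": { version: "5.2.1" },
    "node_modules/tool-b/node_modules/webpack-dev-server": { version: "5.2.0" },
  },
};
console.log(findVulnerable(sampleLock));
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `findVulnerable`.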

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-03-21T14:12:06.271Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f37c9182aa0cae28696c5

Added to database: 6/3/2025, 5:58:33 PM

Last enriched: 7/11/2025, 6:17:13 AM

Last updated: 8/11/2025, 11:30:12 PM
